Bug 5283: Cache Manager mgr:info returns 403
When handling a request with an http://target/squid-internal... URL
(e.g., cache manager pages and MIME icons), Squid needs to determine
whether the URL points at the current/receiving Squid port. Requests
with such URLs are marked as "internal requests" (their flags.internal
becomes true). Internal requests are satisfied by the current instance.
Otherwise, Squid forwards the request to its intended target.
When looking for internal requests, Squid requires a port number match and also compares the request target with various addresses, such as IPs determined by http_port configuration and by visible_hostname and hostname_aliases directives:
Until this change, Squid did not treat the "localhost" target specially.
Now, requests targeting localhost are considered matching the receiving
port if that port was configured with a wildcard IP address (which is
the default port address) or a localhost address (e.g., 127.0.0.1). We
are adding this temporary special handling because, since commit
a4e35bd8ffe51cda83e63faab79bda5a838c7e1a, squidclient defaults to
sending http://localhost:3128/squid-internal... URLs when handling
mgr:page parameters[^1]. Many Squids forward those URLs and create a
forwarding loop with an ERR_ACCESS_DENIED outcome. Until a better
solution is implemented, we want those default squidclient mgr:page
requests to resume working with (most) Squids running on the same host,
even if Squid does not otherwise treat "localhost" as one of its names.
Squid now also treats requests with internal URLs targeting the receiving port's listening IP address as internal requests.
The added checks do not cover all cases where older Squids classified cache_object requests as internal and allowed them; Squid continues to reject some of the same-host mgr:info requests.
[^1]: Prior to that commit, squidclient defaulted to sending cache
manager URLs with a cache_object:// scheme that Squid handled as
targeting the current instance regardless of the host name in the URL.
Internal URLs with an http:// scheme targeting "localhost" would fail
back then as well, but squidclient did not send them by default.
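
The classification rules described in the commit message above, as a simplified Python model added here for illustration (not Squid's code). ListeningPort, is_internal, own_names and the sample addresses are hypothetical; own_names stands in for the names given by visible_hostname and hostname_aliases.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ListeningPort:
    """Hypothetical model of one http_port line: bound address and port."""
    address: str  # e.g. "0.0.0.0" (wildcard), "127.0.0.1", "192.0.2.10"
    port: int


def _ip(text):
    """Parse an IP literal (brackets allowed); return None for host names."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None


def is_internal(target_host, target_port, listener, own_names=()):
    """True if an http://target/squid-internal... request received on
    `listener` is served by this instance instead of being forwarded."""
    # A port number match is required before any address comparison.
    if target_port != listener.port:
        return False
    host = target_host.lower()
    # Assumption: configured names are compared as plain strings.
    if host in {name.lower() for name in own_names}:
        return True
    bound = _ip(listener.address)
    target = _ip(host)
    # Target is the receiving port's listening IP address.
    if bound is not None and target is not None and target == bound:
        return True
    # Special handling of "localhost": matches only a wildcard or
    # loopback listening address.
    if host == "localhost" and bound is not None:
        return bound.is_unspecified or bound.is_loopback
    return False


def demo():
    """Constructed cases: the default squidclient target against three ports."""
    ports = {"wildcard": "0.0.0.0", "loopback": "127.0.0.1",
             "specific": "192.0.2.10"}
    return {label: is_internal("localhost", 3128, ListeningPort(addr, 3128))
            for label, addr in ports.items()}
```

In this model, a port bound to a specific non-loopback address does not match "localhost", so the request would be forwarded rather than answered locally, consistent with the message's note that some same-host requests are still rejected.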